Fraud Advisor
http://www.experian.com/blogs/fraud-advisor
Quarterly newsletter dedicated to the fraud industry
Tue, 18 Dec 2012 00:22:59 +0000

Introducing Precise Match
http://www.experian.com/blogs/fraud-advisor/2012/12/precise-match/
Fri, 14 Dec 2012 00:31:50 +0000

Experian Fraud and Identity Solutions continues to invest in its fraud risk and identity verification platform. This commitment is demonstrated by one of our largest initiatives to date — the optimization and expansion of Checkpoint℠, our demographic and identity-element matching database. Checkpoint is undergoing comprehensive enhancements using a phased approach. As part of the development, a new name has been created for the launch: Precise Match℠.

Phase 1 of Precise Match (aka Checkpoint) includes many technology enhancements: a new architectural environment using new technology on a new and improved Fraud platform. The new environment was designed to scale for future growth with the capability of handling big data, yet it still maintains the integrity of the legacy system and provides the Checkpoint data quality as well.

Precise Match has enhanced matching logic, and the search and match now includes the ability to identify a match under conditions where the match is less than exact, such as close matches, partial matches and even low confidence matches. As a result of the new search and match algorithm, Precise Match will add more than 400 more granular result codes to those available in the existing Checkpoint. To facilitate use, the result codes have been grouped into six confidence levels and clients may opt in to receive them via the confidence group. A chart highlighting differences between Precise Match and Checkpoint follows.

Comparison Chart

| Precise Match℠ | Checkpoint℠ |
| --- | --- |
| Optimized search logic designed to capture the most records for matching purposes | |
| More than 400 new, additional result codes providing additional granularity when a close or partial match rule fires | Standard result code set of 28 |
| New data sources used in individual segments, with plans for additional data sources in the future | Standard data sources used for matching |
| New configurability options to provide greater control and flexibility | Existing configurability |

Note: Precise Match is not available to the legacy Authentication Services platform or within Biz ID℠.

With robust personally identifying information (PII) data and enhanced match result codes featuring client-selected confidence levels, Precise Match represents Experian’s next generation of demographic and identity-element matching. Deeper regulatory and compliance checks, increased efficiency, lower operational costs and reduced customer friction are just a few of the many benefits. Precise Match Phase I features enhanced address search and match and is available starting in January 2012. Existing clients who are interested in learning more should contact their Experian representative. To use Precise Match, it will be necessary to submit a change request, opt in and identify which Result Code Confidence Groups will be used.

The difficulty in finding “average” fraud rates
http://www.experian.com/blogs/fraud-advisor/2012/12/finding-average-fraud-rates/
Fri, 14 Dec 2012 00:31:36 +0000

While it is a common question or discussion topic, the concept of an “average fraud rate” is an elusive one. Here are several reasons why.

Natural fraud rate versus production fraud rate

The natural fraud rate is the number of fraudulent attempts divided by overall attempts in a given period. Many businesses don’t know their natural fraud rate, simply because in order to measure it accurately, you need to let every single customer pass authentication regardless of fraud risk. However, who wants to sacrifice their bottom line for empirical purity? So the question becomes, “If I stop a transaction due to fraud risk, how do I really know if that was fraud versus a legitimate customer that I have turned away?”

What most businesses can and do see, however, is their production fraud rate — that is, the fraud rate of approved customers after using some fraud prevention strategy. If your fraud model offers any detection value at all, then your production fraud rate will be somewhat lower than your natural fraud rate. Since everyone has their own specific fraud-prevention strategies in practice, any attempts at finding an “average” are muddied.

How do you count frauds?

You can count frauds in terms of dollar loss or raw units. A dollar-based approach might be more appropriate when estimating the return on investment of your overall authentication strategy. A unit-based approach might be more appropriate when considering the impact on victimized consumers and the subsequent impact on your brand. If using the unit-based approach, you can count frauds in terms of raw transactions or unique consumers. If one fraudster is able to get through your risk management strategy by coming through the system five times, then the consumer-based fraud rate might be more appropriate. In this example, a transaction-based fraud rate would over-represent this fraudster by a factor of five. Any fraud models based solely on transactional fraud data would thus be biased toward the fraudsters who game the system through repeat usage. Clearly, then, how you quantify your fraud impacts how you measure it. Therefore, another sticking point for determining the “average fraud rate” is based on what makes up the numerator and the denominator.
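An added example (not from the original newsletter) of the counting choices described above, computed over a constructed set of approved transactions in which one fraudster gets through five times. The record fields, identifiers and amounts are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    consumer_id: str   # identity behind the transaction (hypothetical field)
    amount: float      # dollar value of the approved transaction
    is_fraud: bool     # confirmed outcome from the feedback loop


# Constructed sample: 95 legitimate consumers with one $200 transaction each,
# plus one fraudster who passes the risk strategy five times at $500 each.
APPROVED = [Txn(f"c{i:03d}", 200.0, False) for i in range(95)]
APPROVED += [Txn("f001", 500.0, True) for _ in range(5)]


def fraud_rates(txns):
    """Return the same fraud measured with three numerators/denominators."""
    if not txns:
        raise ValueError("no transactions to measure")

    # Transaction-based: fraudulent transactions / all transactions.
    fraud_txns = sum(1 for t in txns if t.is_fraud)

    # Dollar-based: fraudulent dollars / all dollars.
    total_dollars = sum(t.amount for t in txns)
    fraud_dollars = sum(t.amount for t in txns if t.is_fraud)

    # Consumer-based: a consumer counts once, however many times they appear.
    consumer_is_fraud = defaultdict(bool)
    for t in txns:
        consumer_is_fraud[t.consumer_id] |= t.is_fraud
    fraud_consumers = sum(1 for flag in consumer_is_fraud.values() if flag)

    return {
        "transaction": fraud_txns / len(txns),
        "consumer": fraud_consumers / len(consumer_is_fraud),
        "dollar": fraud_dollars / total_dollars if total_dollars else 0.0,
    }


def repeat_factor(txns):
    """Fraud transactions per unique fraudulent consumer.

    This is the factor by which a transaction-based count over-represents
    repeat fraudsters relative to a consumer-based count.
    """
    fraud_txns = [t for t in txns if t.is_fraud]
    fraud_ids = {t.consumer_id for t in fraud_txns}
    return len(fraud_txns) / len(fraud_ids) if fraud_ids else 0.0


if __name__ == "__main__":
    for name, rate in fraud_rates(APPROVED).items():
        print(f"{name:12s} fraud rate: {rate:.2%}")
    print(f"repeat factor: {repeat_factor(APPROVED):.1f}")
```

On this sample the same fraud shows up as roughly 1 percent by consumer, 5 percent by transaction and nearly 12 percent by dollar, which is why two rates quoted without their numerator and denominator cannot be compared.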

Different industries. Different populations. Different uses.

Experian’s fraud-risk and authentication tools are used by companies from a wide variety of industries. Would you expect the fraud rate of a utility company to be comparable to that of a money wire service? What about online lending versus deposit account opening? Furthermore, different companies use different fraud prevention strategies with different risk buckets within their own portfolios. One company might put every customer at account opening through a knowledge based authentication (KBA) session, while another might only ask the riskier customers out-of-wallet questions. Some companies use authentication tools in the middle of the Customer Life Cycle, while others employ fraud-detection strategies at account opening only. All of these components further complicate the notion of an “average fraud rate.”

Different levels of authentication strength

Even if you have two companies from the same industry, with the same customer base, the same fraudsters, the same natural fraud rate, counting fraud the same way, using the same basic authentication strategies, they still might have vastly different fraud rates. Let’s say Company A has a KBA strategy configured to give them a 95 percent pass rate, while Company B is set up to get a 70 percent pass rate. All else being equal, we would expect Company A to have a higher fraud rate, by virtue of having a less stringent fraud prevention strategy. If you lower the bar, you’ll definitely have fewer false positives, but you’ll also have more frauds getting through (false negatives). An “average fraud rate” is therefore highly dependent on the specific configuration of your fraud prevention tools.

Natural instability of fraud behavior

Fraud behavior can be volatile. For openers, one fraudster seldom equals one fraud attempt. Fraudsters often use the same techniques to defraud multiple consumers and companies, sometimes generating multiple transactions for each. You might have hundreds of fraud attempts from the same fraudster. Whatever the true ratio of fraud attempts to fraudsters is, you can be confident that your total number of frauds is unlikely to be representative of an equal number of unique fraudsters. What this means is that the fraud behavior is even more volatile than your general consumer behavior, including general fraud trends such as seasonality. This volatility, in and of itself, correlates to a greater degree of variance in fraud rates.

The value of feedback

One of the best tactics you can take to better understand your fraud rate, and more importantly, to win against those that would commit fraud against you, is to close the feedback loop on the outcome — what was fraud and what wasn’t. As a client, one easy way to realize more value from the services and products you employ is to share that outcome data — confidentially, of course — with the product analysts who know them best and can provide invaluable analysis and recommendations on optimum settings to ensure you protect yourself.

Conclusion

For the reasons described here, claims of an industry average fraud rate should be considered very subjective, and any claims of an authoritative average should be taken with a grain of salt. At the very least, fraud rates are volatile, with a great deal of variance from one case to the next. It is much more important to know your average fraud rate than the average fraud rate.

Knowledge based authentication for sales enablement
http://www.experian.com/blogs/fraud-advisor/2012/12/knowledge-based-authentication/
Fri, 14 Dec 2012 00:31:27 +0000

Let’s face it. Today’s world is fast-paced. Consumers today want to transact on demand and instantly. On the flip side, businesses want to make safe, instant decisions and distribute their goods and services right away to recognize the revenue. Add to that the fact that the “point of sale” is now everywhere the consumer is. For example, shop for a car online, get directions to the dealership on your smartphone, finance it, then drive it home tonight. Same goes for retailers. Order a new flat-screen television from your tablet and have it shipped overnight, and you’re ready to go for the big game. You get the point. Is instant decisioning and immediate purchase approval really that important? Absolutely.

To illustrate the point, let’s consider a hypothetical example of a credit card company that issues bankcards online via Web applications. They’ve done a good job of setting up credit score criteria to auto-decision around, but they didn’t bother including knowledge based authentication (KBA), as they thought that the costs were high and that missed customer opportunities wouldn’t really add up over the long term. Were they right? Let’s run some numbers and see.

Over the course of any given week, our card issuer runs an average of 1,000 credit card applications, or 4,000 applications per month on average. The average credit limit they approve is $2,000. So for any given week, they approve $700,000 in new lines or $2.8 million per month.

A summary of their monthly processing stats prior to running applications through KBA service looks like the following:

Automatic system approvals — 35 percent ($2.8 million in new credit limits)

Automatic system declines — 25 percent ($2.0 million in new credit limits)

Now let’s say this same company decided to add in KBA to their online account opening process in an effort to reduce the manual reviews. More approvals mean more new bookings today, new revenues recognized more quickly and a reduction in manual labor costs. What’s the benefit? Try the fact that the average credit limits approved for any given month go from $2,800,000 to $4,400,000, which represents a 57 percent lift in new credit limits. The icing on the cake is the card issuer saves $12,000 ($144k/year) in labor costs by having consumers self-authenticate through KBA questions.

A summary of their monthly processing stats after switching to run applications through KBA looks like the following:

One of the most frequently asked questions is: How do I “try-out” KBA? Or similarly, how do I run a head-to-head test against my current vendor?

We’ve had more clients recently express interest in the ability to “try-out” KBA. After all, why risk moving your business in a direction that you’re not comfortable with up front? Makes sense, right? We at Experian agree. You deserve full disclosure up front, and you deserve the ability to run a test to understand the benefit. We heard you, and as a result, we now have additional options and testing processes in place to help you do just that. Additionally, we’ve created a consulting process to help you evaluate the current KBA vendor you’re doing business with, in an effort to truly understand if you’re getting the most out of the service or if Experian’s Fraud tools would do a better job.

New to KBA?

The testing process is simple and straightforward. If you’re new to KBA, then you’ll simply provide information to us about the consumers with whom you’re doing business, and we’ll take it from there. We’ll come back to you with an overall analysis of what KBA questions could have been presented to your customers, along with suggestions around how to best interact with those consumers to retain their business, while at the same time balancing the necessary fraud checks to keep your company secure.

Want to compare Experian to your current KBA provider?

Again, the testing process is simple and straightforward. You would simply provide information to us about the consumers with whom you’re doing business, along with your current business operating processes and procedures where KBA is in use, and we’ll take it from there. We’ll come back to you with an overall analysis of what KBA questions could have been presented to your customers, along with opportunities to improve your business processes using Experian. If you’d like, we can even take it a step further by evaluating the effectiveness of the current KBA service you have in place.

What to look for if you decide to run a test on your own without Experian:

i. For the KBA vendor, what data source categories are used to generate questions? Tip: You want a provider that has a data diversification strategy comprised of multiple data sources, both credit and noncredit, from which to draw questions.

ii. Does the KBA vendor offer its own consulting services that include performance monitoring of the KBA service, so you know how and if the product is working correctly? Tip: This is critical to knowing whether the KBA service is working. Think of it simply as your very own KIQ optimization strategy.

iii. Does the KBA vendor provide product configuration options that include a scoring matrix?

Combination of fraud score and question performance

Customizable score breaks and thresholds

Increase the pass rate of good consumers while eliminating fraud with custom velocity checks like use limits and concurrency checks

Fraud and deposits
http://www.experian.com/blogs/fraud-advisor/2012/12/fraud-and-deposits/
Fri, 14 Dec 2012 00:31:15 +0000

Fraud in the deposit space is an underserved, often misunderstood area. Traditionally, fraud for financial institutions and retailers has been identity-related fraud where misuse of a third party’s identity leads to an unauthorized credit account. This credit account is then used to make purchases, cash advances, etc. until the line is depleted.

Deposit fraud is a different animal. For purposes of clarity, let’s make a distinction between two types of deposit-based fraud.

Deposit first-party fraud

This type of fraud occurs when an individual uses his or her own name, address and information to obtain an account or goods without any intention of repayment. First-party fraud can range from the hundreds to tens of thousands of dollars, but the key component is that the individual perpetrating the fraud is the true applicant and the information provided is true and valid.

Deposit new account fraud

This type of fraud occurs when perpetrators, often groups of fraudsters or fraud rings, open accounts using completely fictitious information, semi-fictitious information or “mules.” Mules are people who are recruited by a ring to commit fraud typically in exchange for a cash payment. Deposit new account fraud generally isn’t high dollar, but the volume of fraud accounts drives up processing costs and operational costs. These losses can often fall to the “cost of doing business” loss lines, with higher dollar outliers being the only evidence of the larger issue.

Unlike identity theft, deposit new account fraud is not a hot-button consumer topic or exciting media story. It often does not fall into an investigation bucket to be addressed by law enforcement due both to the low dollar amounts and the absence of “real” applicants. It is, however, a source of pain, an operational expense, and a large distraction for many banks and deposit institutions.

By its nature, deposit new account fraud is high-volume, low-dollar, “trade your name and possibly get arrested for less than $100” fraud. This is not to say that the criminals orchestrating schemes are not sophisticated. Fraud ring leaders running deposit new account fraud often deal with high volumes of applications, high volumes of applicant data, multiple email addresses, fake IDs, financial mules and debit/ATM cards for access. Let’s examine these components in more detail:

High volumes of applications: Deposit new account fraud is often profitable due to volume. Applicants are generally not “one and done” fraudsters. The payoff comes through multiple applications that may be made at multiple locations, and, if online, through multiple financial institutions.

Multiple email addresses: Email addresses are the new verification engines in the digital world. Applications by phone or online are made easier by either providing an email for pseudo-verification or for correspondence. Fraudsters may be managing dozens of email addresses as part of their scheme.

Fake IDs: Customers with no credit file can meet an institution’s Know Your Customer requirements by presenting physical identification. New account desk representatives are expected or trained to verify physical identification. Fraudsters must manage which IDs are used for which accounts or purchases as the same ID is typically used multiple times.

Financial mules: These are individuals who are paid to perpetrate fraud. They are the account opening parties, the cash advance parties, the face to the crime. Mules are traditionally young student/college-aged individuals who are thin file/no file. Mules also can be recruited through the drug trade or, in larger cities, from among the homeless. Ring leaders using mules must select individuals who are capable of opening an account and are willing to return the majority of the funds from the fraud to the handler. Mules are often used for multiple fraud attempts in a very short period of time.

Debit/ATM cards: This is the faceless channel. The ATM is the deposit product channel of choice for fraudsters. ATMs accept deposits, which is ideal for someone committing deposit new account fraud. Managing these deposits is often a science, as playing the timing game is critical to getting funds access.

So what are some tactics for managing deposit new account fraud? Often, combating deposit new account fraud comes down to deterring the fraudster’s application completely. Risk-based, trend-based funds availability can create controls that fraudsters cannot dodge. In these cases, account age, deposit amount and deposit channel (ATM, in-person, remote deposit) can drive “tiered availability,” allowing most valid customers to transact while restricting fraudsters from the “big score.”

Addressing both the applicant’s identity and the transactional risk can work to deter fraudsters from even attempting deposit new account fraud. Creating an environment that deters fraud is much more cost-effective than having an environment to recover from fraud.

Looking forward, some fraud-prevention techniques are evolving to better combat deposit new account fraud. This includes taking a broader “panorama” view of a new applicant’s behavior and looking at the relationship among all of the separate but related applicant data elements. Rather than providing a series of “snapshots,” this approach begins to predict an applicant’s risk based on the sheer volume of data element linkages that can be identified. Once integrated or layered into your existing fraud-prevention processes, this moves fraud identification toward an active, real-time function rather than a standard “bad account” matching process.

5 FFIEC Compliance Tips For Banks
http://www.experian.com/blogs/fraud-advisor/2012/08/5-ffiec-compliance-tips-for-banks/
Wed, 15 Aug 2012 19:14:25 +0000

The Federal Financial Institutions Examination Council recently released the supplement to its “Authentication in an Internet Banking Environment” guidance. The deadline for meeting the new requirements is now.

These updates of the FFIEC regulations specifically address customer authentication, layered security, and other controls in the growing online environment.

Listed below are five questions about compliance with the recent guidance.

What does “layered security” actually mean? “Layered security” refers to the arrangement of fraud tools in a sequential fashion, starting with the most simple and progressing toward more stringent controls as the activity unfolds and risk increases.

What does “multi-factor” authentication actually mean? A simple example of multi-factor authentication is the use of a debit card at an ATM machine. The plastic card is an item that you must physically possess to withdraw cash, but the transaction also requires the PIN number to complete the transaction. The card is one factor, the PIN is a second. The two combine to deliver a multi-factor authentication.

Who does this guidance affect? And does it affect each type of credit grantor/lender differently? The guidance pertains to all financial institutions in the U.S. that fall under the FFIEC’s influence. While the guidance specifically mentions authenticating in an online environment, it’s clear that the overall approach advocated by the FFIEC applies to any environment.

What will the regulation do to help mitigate fraud risk in the near-term and long-term? The guidance is an important reinforcement of several critical ideas: Fraud losses undermine faith in our financial system, and the tools to fight fraud must evolve constantly. Fraud tactics evolve constantly.

How are organizations responding? Research indicates that less than half of the institutions impacted by this guidance are prepared for the exams. Many fraud tools, particularly those used to authenticate individuals, were deployed as point-solutions. There is a need for a feedback loop to identify vulnerabilities, or the ability to deploy a risk-based, “layered” approach the guidance is seeking.

Speed Is the Key to Beating New Account Fraud
http://www.experian.com/blogs/fraud-advisor/2012/08/speed-is-the-key-to-beating-new-account-fraud/
Wed, 15 Aug 2012 19:14:14 +0000

Banks and other lenders need more advanced tools to help them detect and catch fraud perpetrators, as well as find new ways to improve profit margins on their credit holdings.

The lifespan of a fraudster is short, but prolific. After a sharp and unexplained drop in identity thefts in 2010, fraud schemes climbed 12.6 percent in 2011, according to research by Javelin Strategy & Research.

The cost adds up: The mean cost for new-account fraud is $3,197, according to the recent “Javelin Strategy & Research 2012 Identity Fraud Report.” In addition, if someone succeeds in opening up an account, it typically only takes about seven days to wreak millions of dollars of damage across a wide network of unsuspecting customers, Javelin reports. Yet it typically takes institutions an average of 151 days to detect a fraud occurrence. This means that by the time account holders realize they’ve been cleaned out and their banks are calling their customers about irregular account activity, or when their credit card companies are sending them notification letters, fraudsters have already vanished into thin air. But they’ll most assuredly be back.

Where is the disconnect? Why is our industry — on the whole — so slow to react?

Some lenders simply contend that they have the strongest defense against industry theft at origination, so don’t see the need to check again after the accounts are opened. Further, to some degree, a certain amount of fraud is bound to get through because the cost of ferreting out all of it would prove prohibitive.

With so many accounts being hacked in the first seven days of a fraudster’s scheme, no financial institution or person is immune — even with the best systems in place. Fortunately, technology advances in this field have delivered new weapons to flag suspicious consumer data patterns early in an account’s history — a huge milestone. Old tactics are simply insufficient to uncover criminal activity at its current level.

One Fraudster, Geometric Damage

These two graphs assess the fraudster process at Day 0, then again at Day 7. For the latter, note how the volume of fraud can grow geometrically if risk managers are not proactive.

As the charts suggest, we have found that accounts that may have looked good when opened may have turned high-risk because of activity picked up by technology that can hone in on how data is used across numerous transactions. For example, Experian’s Precise ID for Customer Management takes advantage of data previously unavailable to identify and prevent current-account fraud during the first 30 days of an account being opened. By shifting strategies and monitoring newly opened accounts, we have found significant lift for fraud captures among our customers due to the use of this technology.

Some Tips to Help Stop or Prevent Fraud

Be aware that fraudsters bulldoze their way through accounts and disappear within 15 days, yet it takes an average of 151 days to identify fraud.

Be vigilant to warn your customers about fraudsters and identity thieves.

Ask your customers to pinpoint questionable behavior, such as new account openings without a birth date, but with the same name and Social Security number.

Re-check accounts after they have been opened; identifying suspicious activity this way allows for a significant lift in fraud captures.

Last year, victims of a data breach were 9.5 times more likely to be a victim of identity fraud. Consumers who were part of a data breach had a fraud incidence rate of 19 percent, while consumers who were not had a breach rate of two percent. Also, with a shocking 67 percent jump in data breach victims in 2011, the increase correlates directly with the rise in identity fraud victims.

This rise in identity crime comes as banks and lenders continue to look for ways to improve their profit margins on their credit holdings. It also underscores the need for more advanced tools to help credit companies, banks and others detect and nab fraud perpetrators, who steal billions of dollars — both from lenders as well as innocent consumers.

The role of the Social Security number in fraud prevention
http://www.experian.com/blogs/fraud-advisor/2012/08/the-role-of-the-social-security-number-in-fraud-prevention/
Wed, 15 Aug 2012 19:13:59 +0000

The value of the Social Security number (SSN) in the fraud prevention process is an oft-debated topic. Some companies put a great deal of emphasis on the SSN, while others feel the value of it has been lost. Those in the latter category may not even request it from their customers in the application process. The position is that the value they get from the SSN for fraud prevention does not outweigh the customer experience principles they are working to achieve.

The use of Social Security numbers in authentication and fraud prevention has been a constant topic for the media in terms of how this process impacts a person’s privacy. Recent policy changes by the Social Security Administration (SSA) have affected the availability of SSN data. The most notable change took place in July 2011, when the SSA started issuing Social Security numbers at random rather than in a range by state and date. In November 2011, the SSA announced that it would no longer include death records obtained from protected state records in the Public Death Master File (Public DMF), used by many as a means to prevent the use of deceased SSNs. This change creates additional challenges for quickly and accurately confirming an individual’s Social Security number, which is something consumers have come to expect.

Despite these new challenges, the SSN is still a critical component when it comes to fraud prevention and risk assessment. Older fraud alerts tied to the SSN often are not predictive of fraud as a standalone element. Criminals are well-versed in the application process, so they typically use a valid and issued Social Security number when attempting to perpetrate fraud. Interestingly, despite low fraud find rates, it’s still considered a common best practice to flag and review any application where a deceased SSN has been used. The next level of fraud prevention involves the common practice of data matching. For example, does the SSN match to the individual’s name and address? This tactic provides better fraud separation than the older SSN alerts but still creates some challenges. For example, when you look at SSN matches to name (meaning the full name matched but the address did not) in a sample population, 40 percent of the frauds had this match. The challenge is that 25 percent of the goods also had this message. There is clearly some separation of fraud here, but probably not enough to use this message independently for fraud prevention.

Given these challenges, is the SSN really an important piece in the fraud prevention puzzle? Despite some of the limitations, the power of analytics tells us yes.

Analytics takes in the variables of the basic SSN alerts and the matching components and blends these with other data to develop highly predictive fraud scores. Other variables tied to the SSN that lead to predictiveness in the models are the velocity indicators tied to the SSN — for example, how many times the SSN has been used in a certain period of time. There also are more sophisticated rules tied to the SSN such as if the SSN is being used by multiple parties via recent inquiries, indicating that the SSN may have been compromised and actively is being used for fraud.

To be clear, SSN information is only one part of the larger picture of risk that is composed by today’s fraud prediction models. That said, it remains a key piece of information in providing strong fraud detection and separation. The use of analytics provides the opportunity to find the majority of fraud while impacting a manageable number of cases that are not fraud. Strong scores can find approximately 60 percent or more of identity theft in a review population of 10 percent based on model validations.

So what is the bottom line? Capture the SSN and use it in fraud prevention if you can. There is value realized by the use of analytics that really can help drive workable review rates. This approach creates the best balance between stopping fraud and keeping the customer experience “friendly.”

Data breaches — How will your company retain the confidence of your customers?

http://www.experian.com/blogs/fraud-advisor/2012/08/data-breaches-how-will-your-company-retain-the-confidence-of-your-customers/

Tue, 14 Aug 2012 22:02:59 +0000

Stolen passwords, stolen credit card numbers, stolen identity information: Open any newspaper or news service, and you can quickly find a cybercrime committed against large and, increasingly, midsize companies.

When this happens to your company, do you have a crisis plan in place, from mandatory letters to proactive public relations?

In a recent study by the Ponemon Institute, 72 percent of consumers who recall receiving a data breach notification letter expressed dissatisfaction with it. That feeling can directly translate into dissatisfaction with the company that sent the letter.

Read a recent article by Experian Data Breach Resolution, which can help your company improve upon the customer experience in the event that a confidence-busting data breach occurs.

Do you think you’re not a target for criminal data attacks because you’re not the size of Yahoo! or LinkedIn? The FCC recently released tips for small businesses, in response to an increasing number of criminal attempts and activity around small and midsize companies.

Given that in 2010, for the 11th year in a row, the overwhelming top consumer complaint to the FTC was identity theft, how you take action can help you regain the trust of your customers. The FTC advises organizations that handle Personally Identifiable Information (PII) to adhere to the following easily controllable measures:

Take stock. Know what personal information you have in your files and on your computer. Understand how personal information moves into, through and out of your business and who has access or could have access to it.

Scale down. Keep only what you need for your business. That old business practice of holding on to every scrap of paper is “so 20th century.” These days, if you don’t have a legitimate business reason to have sensitive information in your files or on your computer, don’t keep it.

Lock it. Protect the information you keep. Be cognizant of physical security, electronic security, employee training, and the practices of your contractors and affiliates.

Pitch it. Properly dispose of what you no longer need. Make sure papers containing personal information are shredded, burned or pulverized so they can’t be reconstructed by an identity thief.

Plan ahead. Draft a plan to respond to security incidents. Designate a senior member of your team to create an action plan before a breach happens.

As customers become more knowledgeable as to how their personal information is being collected and stored and by whom, more scrutiny and legal action will become the norm, and expectations from customers will continue to grow.

You might liken it to winning a gold medal if there were Olympics for fraud-prevention platforms.

On July 26, Experian’s Precise ID℠ platform was recognized for identity proofing at Assurance Level 3, under the Kantara Initiative’s Identity Assurance Framework, one of the Federal Identity Credential Access Management (FICAM) Trusted Framework providers. As part of the process, a Kantara-Accredited Assessor determined that Experian’s Precise ID service conformed to the Identity Assurance Framework’s Service Assessment Criteria, which enable a relying party to trust the identity and security assurances from an identity or credential service provider.

This success follows months of collaborative effort between Experian’s Fraud and Identity Solutions division; an independent auditor; and Kantara Initiative, the certifying authority.

So what do all the acronyms, officious titles and identity proofing certifications mean?

Precise ID now is uniquely positioned to deliver identity proofing services (the ability to verify with reasonable certainty that a person is who he or she is claiming to be) to the vast majority of public sector, healthcare and perhaps soon-to-be private sector entities that likely will cite certification as a requirement more often than not. Recent examples of this capability can be found in Experian being awarded the contracts for the United States Department of Veterans Affairs (VA) and the Centers for Medicare and Medicaid Services (CMS), both of which require such certification.

Several more examples of these initiatives in action:

The Drug Enforcement Administration mandated that doctors who issue prescriptions online (e-prescriptions) must conform to National Institute of Standards and Technology (NIST) guidelines that recommend technical safeguards.

The White House’s identity-management initiative to make online transactions more trustworthy — known as the National Strategy for Trusted Identities in Cyberspace (NSTIC) — is aimed at creating an Internet-identity ecosystem that uses interoperable technology standards and policies to authenticate not only consumers, but also organizations and IT infrastructure.

Experian’s Precise ID platform is being used by the Social Security Administration, Centers for Medicare & Medicaid Services and DrFirst.

Lest you think all of this applies only to the government and public entities:

Although today the National Institute of Standards and Technology (NIST) levels of assurance are most closely associated with public sector service requirements and the NSTIC Identity Ecosystem, it is highly likely in upcoming years that many private sector identity verification and fraud risk initiatives also will align with NIST levels of assurance.

As one of only two identity proofing services with this level of approval, Experian and Precise ID are well on their way to providing the standard in identity assessment and fraud risk management for both the private and public sectors.